Nerius Landys wrote:
> First, my choice of internal network IP addresses is 192.168.0.x. My
> router machine's IP address will be 192.168.0.254 (that's the
> interface facing the internal network). The IP addresses of the
> machines behind the router will start at 192.168.0.2 and go up. I'm
> wondering if this choice of IP addresses is conventional or good. Is
> this numbering scheme decent? This is the way I had it set up
> earlier. I've seen a lot of networks using 192.168.1.x and the router
> would be 192.168.1.1.
Whichever works. I don't think there is reason to speculate in "best
practices" as to which gets to be number 1, however you may consider
dividing the address space into ranges for different uses. You may like
to group servers in a particular range and clients in another so that
you can create firewall rules accordingly.
My network is 172.16/23. The range 172.16.0/24 I use for statically
configured nodes, servers, access points etc. The 172.16.1/24 I use for
dynamically configured nodes, laptops.
The reason is that I'm using dynamic DNS on my LAN. The reverse map
zones cannot be created for classless networks; you have to define a
reverse zone for a /16 or /24 network. So to ensure that my static
servers' reverse map cannot be modified, I have split my range such that
dynamic and static addresses can be separated.
For my static range, I have divided it into two, 172.16.0.0/25 and
172.16.0.128/25, the first for production servers, the latter for testing
and development. This is just a convention I have established; I thought
it might be a good idea, but it is not configured in any way.
For my dynamic range, in my dhcpd configuration I have created two
ranges, 172.16.1.0/25 and 172.16.1.128/25.
The first I assign to known hosts, that is hosts I have registered the
MAC address of and know the owner. I haven't statically assigned a
particular IP to a particular MAC, I just created a host entry in the
dhcpd.conf with the MAC.
The latter range I use for unknown hosts, so when somebody connects they
are easy to identify as foreign. This also permits creating special
rules in my firewall so that strangers do not get the same unlimited
access as friends. Of course, this is very crude as anyone can just
reconfigure their address to get unlimited access, but
> So now to the problem of being able to connect from a 192.168.0.x
> machine to an outside IP address. The way I did this before was by
> adding 'gateway_enable="YES"' to /etc/rc.conf and then using the
> OpenBSD packet filter (pf) to do a NAT thing. I'm wondering if this,
> in your opinion, is the preferred way to do things in order to set up
> an internal network which can access the outside internet directly.
Yes, that's a great idea.
> If so, can someone give me a really minimal yet secure packet filter
> rule set that would do the job? (I'm prepared to read the pf docs,
> which will take me a few hours.) The router will connect to the
> outside via DHCP, and from what I remember I had to add a rule to not
> drop packets that were DHCP-related.
See the packet filter documentation, IIRC they also have sample filters
for common setups such as yours.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
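As an added illustration of the known/unknown split Erik describes (example configuration written for this thread, not his actual dhcpd.conf), this is how ISC dhcpd expresses it with per-pool permit lists: the subnet matches the 172.16/23 LAN, the two pools carve up the dynamic 172.16.1/24, and a bare host entry with a MAC makes a client "known" without pinning it to an address. The router and DNS server addresses, domain name, host names and MAC addresses are constructed placeholders.

```conf
# Added example, not the original poster's file. ISC dhcpd syntax.
# DNS updates are what the reply uses to keep the dynamic range separate
# from the statically configured /24 whose reverse zone must stay untouched.
ddns-update-style interim;
option domain-name "lan.example";          # constructed placeholder

# The server interface sits on the /23, so the subnet declaration covers it;
# no range is declared in the lower 172.16.0/24, which stays static-only.
subnet 172.16.0.0 netmask 255.255.254.0 {
    option routers 172.16.0.1;              # assumed router address
    option domain-name-servers 172.16.0.1;  # assumed DNS on the static range

    # 172.16.1.0/25: only clients with a matching host entry get a lease here.
    pool {
        range 172.16.1.1 172.16.1.126;
        deny unknown-clients;
    }

    # 172.16.1.128/25: anyone without a registered MAC lands here, so a
    # firewall can treat this whole range as "strangers". Note this only
    # steers DHCP clients; a host that sets its own static address is not
    # affected, which is the limitation the reply already points out.
    pool {
        range 172.16.1.129 172.16.1.254;
        allow unknown-clients;
    }
}

# Registered (known) hosts: the MAC is recorded, but no fixed-address
# statement, so the client still takes whatever lease the known pool offers.
host alice-laptop {
    hardware ethernet 00:11:22:33:44:55;    # constructed MAC
}
host bob-laptop {
    hardware ethernet 00:11:22:33:44:66;    # constructed MAC
}
```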